Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

2. Claims 1-3, 5, and 9 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Nazzal (US 2004/0261030). 

Nazzal discloses an anomaly detection system having data sources located on or 
constituting the network with means for generating network-security relevant data 
("Network Devices" See fig. 2 ref. no. 15 and paragraphs 42-44), an input module with 
input handlers for various protocols to connect to the data sources ("Collectors" See 
figs. 1-2 ref. no. 12 and paragraphs 42-44), at least one data processing module 
connected to the input module for access to the data sources with means for translating 
the network-security relevant data into quantitative variable ("Aggregator" See figs. 1-2 
ref. no. 14, paragraphs 44-46 and 52), a supervisory system with means for presenting 
the quantitative variables to a security system operator ("Graphic User Interface of the 
Operator Console" See fig. 1 ref. no. 16, fig. 29 ref. no. 300, fig. 30 ref. no. 310, 
paragraph 52, 193, and 196-200), and an interface module with means for transferring 
the quantitative variable from the processing module to the supervisory system 
("Operator Console" See fig. 1 ref. no. 16 and paragraph 42). 
Regarding Claim 2: 

Nazzal discloses the network devices are switches, hosts, routers, SPAN ports, 
or other passive link taps (See paragraph 42). 

Regarding Claim 3: 

Nazzal discloses the network-security relevant data is current bytes/second, 
packet/second, connections/hour, as well as other statistics (See paragraph 45). 
Regarding Claim 5: 

Nazzal discloses the aggregator receives reports from collectors and groups of 
collectors (See paragraphs 43-44). 
Regarding Claim 9: 

Nazzal discloses aggregator stores historical data for anomaly detection system 
for comparison to current data for the anomaly detection system (See paragraph 45). 



Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 4 and 6 are rejected under 35 U.S.C. 103(a) as being obvious over 
Nazzal (US 2004/0261030) in view of Symantec Antivirus for Macintosh copyright 1994. 

Nazzal discloses the above stated anomaly detection system having means for 
displaying the quantitative variables to a system operator ("Graphic User Interface of the 
Operator Console" See fig. 1 ref. no. 16, fig. 29 ref. no. 300, paragraph 42, and 
paragraph 193) where the means for displaying the quantitative variables displays 
quantitative variables as quantitative trend graphs with historical data storage and zoom 
in/out function (See fig. 29 ref. no. 300). 

Nazzal does not disclose the graphic user interface of the operator console has 
reaction facilities with means for initiating predefined countermeasures. 

Symantec discloses responding to a suspicious activity by presenting the user 
with an alert box having a description of the suspicious activity, an allow option, a deny 
option, and a remember option (See pages 4-9 and 4-10). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the anomaly detection system disclosed by Nazzal to include 
operator based responses to a suspicious activity such as that taught by Symantec in 
order to prevent the anomaly detection system from automatically responding legitimate 
activities that are reported as suspicious activities (See Symantec page 4-9). 

5. Claims 7-8 are rejected under 35 U.S.C. 103(a) as being obvious over Nazzal 
(US 2004/0261030) in view of Symantec Antivirus for Macintosh copyright 1994 further 
in view of Bhattacharya (US 2005/0060562). 

The above stated combination of Nazzal and Symantec Antivirus discloses 
anomaly detection system having means for displaying status a summary of the 
anomalies identified ("Graphic User Interface of the Operator Console" See Nazzal fig. 1 
ref. no. 16, fig. 29 ref. no. 300, paragraph 42, and paragraph 193) where event severity 
is coded by a color or other indicia applied to the event or an icon to attract the user's 
attention (See Nazzal paragraph 196). 

The above stated combination of Nazzal and Symantec Antivirus does not 
disclose displaying a schematical depiction of the network and device structure and 
topology. 

Bhattacharya discloses a system for displaying network security incidents that 
displays a schematical depiction of the network and device structure and topology (See 
figs. 4a-4b and 5a-5b). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to include in the graphic user interface of the operator console disclosed by 
Nazzal and Symantec a schematical depiction of the network and device structure and 
topology such as that disclosed by Bhattacharya in order to provide the operator with an 
overview of the scope of the network (See Bhattacharya paragraph 44). 

6. Claims 10-15 and 18 are rejected under 35 U.S.C. 103(a) as being obvious over 
Rangachari (US 2003/0176940) in view of Nazzal (US 2004/0261030) in further view of 
Symantec Antivirus for Macintosh copyright 1994. 
Regarding Claim 10 and 13: 

Rangachari discloses an automation system for semiconductor fabrication having 
means for controlling the process of the automation system over the network 
("Computer System having Multiple GUIs" See fig. 6 ref. nos. 502, 521, and paragraphs 
54-55), the controlling means includes a human machine interface ("Multiple GUIs" See 
fig. 6 ref. no. 502 and paragraphs 54-55) with means for displaying information about 
the automation system to an automation system operator ("The GUI also provides a 
display of the equipment specific and process specific data." See paragraph 55) and 
means for entering commands for controlling the automation system ("The GUI also 
provides additional functions including an operator interface for the automation system 
for displaying the computer program related information; a manual operation mode for 
the SMIF input-output, including load, unload, read, Auto-ID device, initialize Auto-ID 
device, home, etc." See paragraph 55). 

Rangachari does not disclose the automation system operator workstation is 
connected to a security system with the supervisory system is integrated into the 
automation system controlling means, the status and trend presenting means being 
included in the information displaying system of the human machine interface and the 
countermeasures initiating means being integrated in the commands entering means. 

Nazzal discloses the above stated anomaly detection system having a 
supervisory system with means for presenting processed data to a security system 
operator ("Graphic User Interface of the Operator Console" See fig. 1 ref. no. 16, fig. 29 
ref. no. 302, paragraph 42, and paragraph 193) and a status and trend presenting 
means (See fig. 29 ref. no. 300). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to include in the automation system for semiconductor fabrication disclosed by 
Rangachari the anomaly detection system taught by Nazzal in order to provide the 
system operator with early detection of network attacks and security violations (See 
Nazzal paragraph 3). 

Symantec discloses responding to a suspicious activity by presenting the user 
with an alert box having a description of the suspicious activity, an allow option, a deny 
option, and a remember option (See pages 4-9 and 4-10). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the above stated combination of the automation system for 
semiconductor fabrication disclosed by Rangachari and the anomaly detection system 
disclosed by Nazzal to include operator based responses to a suspicious activity such 
as that taught by Symantec in order to prevent the anomaly detection system from 
automatically responding legitimate activities that are reported as suspicious activities 
(See Symantec page 4-9). 
Regarding Claim 11: 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses the network devices are switches, hosts, routers, SPAN ports, or other 
passive link taps (See Nazzal paragraph 42). 
Regarding Claim 12: 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses the network-security relevant data is current bytes/second, packet/second, 
connections/hour, as well as other statistics (See Nazzal paragraph 45). 
Regarding Claim 14: 
The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses the aggregator receives reports from collectors and groups of collectors (See 
Nazzal paragraphs 43-44). 
Regarding Claim 15: 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses the means for displaying the quantitative variables displays quantitative 
variables as quantitative trend graphs with historical data storage and zoom in/out 
function (See fig. 29 ref. no. 300) 
Regarding Claim 18: 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses aggregator stores historical data for anomaly detection system for comparison 
to current data for the anomaly detection system (See Nazzal paragraph 45). 

7. Claims 16-17 are rejected under 35 U.S.C. 103(a) as being obvious over 
Rangachari (US 2003/0176940) in view of Nazzal (US 2004/0261030) in further view of 
Symantec Antivirus for Macintosh copyright 1994 in further view of Bhattacharya (US 
2005/0060562). 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
discloses automation system for semiconductor fabrication having an anomaly detection 
system with a means for displaying status a summary of the anomalies identified 
("Graphic User Interface of the Operator Console" See Nazzal fig. 1 ref. no. 16, fig. 29 
ref. no. 300, paragraph 42, and paragraph 193) where event severity is coded by a color 
or other indicia applied to the event or an icon to attract the user's attention (See Nazzal 
paragraph 196). 

The above stated combination of Rangachari, Nazzal, and Symantec Antivirus 
does not disclose displaying a schematical depiction of the network and device structure 
and topology. 

Bhattacharya discloses a system for displaying network security incidents that 
displays a schematical depiction of the network and device structure and topology (See 
figs. 4a-4b and 5a-5b). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to include in the graphic user interface of the operator console disclosed by 
the combination of Rangachari, Nazzal, and Symantec Antivirus a schematical depiction 
of the network and device structure and topology such as that disclosed by 
Bhattacharya in order to provide the operator with an overview of the scope of the 
network (See Bhattacharya paragraph 44). 

Response to Arguments 

8. Applicant's arguments filed February 2, 2009 have been fully considered but they 
are not persuasive. 

In response to the applicants' argument that the anomaly detection system of 
Nazzal does not present a basic quantitative variable of network security data to a 
security system operator, the examiner disagrees with the applicants' interpretation of 
Nazzal. The examiner respectfully points out that the anomaly detection system of 
Nazzal has an operator console (See fig. 1 ref. no. 16) with a graphical user interface 
(See fig. 29 ref. no. 300 and fig. 30 ref. no. 310) that displays the normal and now Bytes 
Per Second being measured by probe 3, the normal and now Packets Per Seconds 
being measured by Probe 3, and the normal and now Host Pair Connection Attempts 
Per Minute (See fig. 30 and paragraphs 196-200). The Bytes Per Second, the Packets 
Per Second, and the Host Pair Connections Attempts Per Minute are quantitative 
variables because they are measured on a numeric scale. The Bytes Per Second, the 
Packets Per Second, and the Host Pair Connections Attempts Per Minute are network 
security data because they are compared with a threshold based on historical values to 
determine the type of attack and its severity (See paragraphs 193-200). Therefore, the 
applicants' argument that the anomaly detection system of Nazzal does not present a 
basic quantitative variable of network security data to a security system operator is not 
persuasive. 

In response to the applicants' argument that the anomaly detection system of 
Nazzal does not have an apparent role for the user other than passively viewing the 
displayed result, the examiner disagrees with the applicants' interpretation of Nazzal. 
The examiner respectfully points out that the user of the anomaly detection system of 
Nazzal has the ability to snooze future alerts related to a selected event for a fixed 
period of time (See fig. 30 ref. no. 314 and paragraph 201-202). However, the examiner 
does acknowledge that anomaly system of Nazzal automatically responds to attacks 
instead of responding to a user input indicating that the system is being attacked. The 
examiner further points out that independent claim 1 does not recite any claim language 
that causes the claimed network security system to perform an act in response to a user 
input indicating the system is being attacked. Therefore, the applicants' argument that 
the anomaly detection system of Nazzal does not have an apparent role for the user 
other than passively viewing the displayed result is not persuasive. 

Conclusion 

9. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRETT SQUIRES whose telephone number is (571) 
272-8021. The examiner can normally be reached on 9:30am - 6:00pm Monday - 
Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William Korzuch can be reached on (571) 272-7589. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/BS/ 



/William R. Korzuch/ 

Supervisory Patent Examiner, 
Art Unit 2431 



